Unable to renew cert, to create cert

Before filling the fields asked, I shall explain what happened.
I work on a Raspberry Pi 3 (with apache2) and, mysteriously, could never make crontab work, so I manually renewed my certificate every 50 days.
I’ve been doing so for several years.
Yesterday, I tried to renew my cert and this time it didn’t work.
I dug into the problem, thought it was some kind of acme-challenge problem, and tried to repair my sites-available files (adding a RewriteRule etc.), but it remained broken.
Tired of all this, I wanted to start anew, so I removed my cert and returned to a working http model.
It works: I can connect through the network to my website in http.
But when I wanted to certbot-auto back again, the same problem appeared.
I hope I’m clear enough.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://lesmaths.ze.cx

I ran this command: certbot-auto --apache

It produced this output:
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py:163: CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. The next version of cryptography will drop support for it.
utils.CryptographyDeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: lesmaths.ddns.net
2: tables.dynu.com
3: crd.gotdns.ch
4: crd.ze.cx
5: lesmaths.ze.cx


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 5
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for lesmaths.ze.cx
Waiting for verification…
Challenge failed for domain lesmaths.ze.cx
http-01 challenge for lesmaths.ze.cx
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: lesmaths.ze.cx
    Type: connection
    Detail: During secondary validation: Fetching
    http://lesmaths.ze.cx/.well-known/acme-challenge/xUcBHX5Eb19vd_BuhfwVCy5LP6D-DGfJlqIJVT7eqkg:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): Apache/2.4.10 (Raspbian)

The operating system my web server runs on is (include version): Raspbian GNU/Linux 8 (jessie)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.3.0

Thank you so much if you can tell me what’s wrong.

aze291

EDIT: I went to https://letsdebug.net/, ran all the tests I could and everything seems well https://letsdebug.net/lesmaths.ze.cx/127778 but still, it doesn’t work.

Hi @aze291

During secondary validation is the new problem.

So the main Letsencrypt servers are able to connect to your domain (same with letsdebug), but the secondary servers are blocked.

Looks like you have a regional firewall that blocks -> remove these blocks.

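A way to check for the kind of source-dependent block described in the reply above, as an added example that is not part of the original posts. It assumes the firewall is iptables-based (the thread does not say which firewall was involved); the function names `audit_port80` and `sample_ruleset`, the set name `home_country` and the address range are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an iptables-based firewall.
# Simplified model: filter table, INPUT chain, first deciding rule wins;
# port ranges such as 80:90 are not recognised.

audit_port80() {   # reads `iptables-save` text on stdin
    awk '
    /^\*/             { table = substr($0, 2); next }
    table != "filter" { next }
    /^:INPUT /        { policy = $2; next }
    !/^-A INPUT / || verdict != "" { next }
    # Skip rules that cannot decide a new inbound connection to tcp/80
    / -i lo( |$)/ || /ESTABLISHED/ { next }
    / -p / && !/ -p tcp( |$)/ { next }
    / --dport / && !/ --dport 80( |$)/ { next }
    / --dports / && !/ --dports ([0-9:]+,)*80(,| |$)/ { next }
    {
        target = ""
        for (i = 1; i < NF; i++) if ($i == "-j") target = $(i + 1)
        if (target !~ /^(ACCEPT|DROP|REJECT)$/) {
            print "FOLLOW-CHAIN " target; next   # user chain: inspect by hand
        }
        limited = ($0 ~ / -s /) || ($0 ~ / --match-set /)
        if (limited) { print "SOURCE-LIMITED " target ": " $0; next }
        verdict = target                         # applies to every source
    }
    END { print "DEFAULT-FOR-OTHER-SOURCES " (verdict != "" ? verdict : policy) }'
}

sample_ruleset() {   # constructed sample; set name and addresses are made up
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m set --match-set home_country src -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 443,8443 -j ACCEPT
COMMIT
EOF
}

sample_ruleset | audit_port80
```

On a live host, run `iptables-save | audit_port80` as root. Any `SOURCE-LIMITED` line, or a final verdict other than `ACCEPT`, means some validation vantage points can reach port 80 while others time out.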

Thank you for your reply. I’ll try to solve this as soon as I get home.

Good day to you

aze291


Hi there
I took my firewall down and had the same problem.

I have another related question: because of the deprecation warning, I updated openssl and it’s now version 1.1.1g.
But I still have this deprecation warning for version 1.0.1.
It may be irrelevant… or a clue?

Thank you

aze291

You may have more than one version of OpenSSL.
Please show results of these commands:

find / -name openssl
which openssl

find / -name openssl
gave out

and which openssl output /usr/bin/openssl

and /usr/bin/openssl version said OpenSSL 1.1.1g 21 Apr 2020

Hello there
It took me some time: it is solved. Thanks to you both, you’re perfect.
The problem was indeed a firewall that I didn’t remember having set. I had to list all services to find out which one was blocking.
:purple_heart:
Thank you again

aze291
